video: tegra: host: Fix crash if allocation fails
Tuomas Tynkkynen [Thu, 16 Aug 2012 16:56:51 +0000 (19:56 +0300)]
nvhost_module_remove_client assumes that a client structure
to be freed exists in the linked list. However, if an allocation fails
in nvhost_module_add_client, no client structure is allocated, and
during cleanup, nvhost_module_remove_client would then attempt
to free an invalid pointer.

Bug 1034729

Change-Id: Ie1a641071b86f8246951e9be824a6003f14b04b6
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Reviewed-on: http://git-master/r/124096
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Juha Tukkinen <jtukkinen@nvidia.com>

drivers/video/tegra/host/bus_client.c
drivers/video/tegra/host/nvhost_acm.c

index 0137793..aaa0382 100644 (file)
@@ -159,7 +159,8 @@ static int nvhost_channelopen(struct inode *inode, struct file *filp)
        }
        filp->private_data = priv;
        priv->ch = ch;
-       nvhost_module_add_client(ch->dev, priv);
+       if(nvhost_module_add_client(ch->dev, priv))
+               goto fail;
 
        if (ch->ctxhandler && ch->ctxhandler->alloc) {
                priv->hwctx = ch->ctxhandler->alloc(ch->ctxhandler, ch);
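Review bot: The new check in nvhost_channelopen tests the result of nvhost_module_add_client() only for non-zero and then discards it, so open() reports whatever the `fail` label returns rather than the actual cause. The `fail` label and the function's return statement are outside this hunk, so this is inferred; if the label returns a fixed errno, consider keeping the value in a local and propagating it, e.g. `err = nvhost_module_add_client(ch->dev, priv);` followed by `if (err) goto fail;`. Since `filp->private_data = priv` is already set before the jump, it is also worth a one-line comment stating that the cleanup path must tolerate a client that was never added to the list. Kernel style also wants a space after the keyword: `if (nvhost_module_add_client(ch->dev, priv))`.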
index 06005c4..76304d6 100644 (file)
@@ -343,15 +343,17 @@ void nvhost_module_remove_client(struct nvhost_device *dev, void *priv)
 {
        int i;
        struct nvhost_module_client *m;
+       int found = 0;
 
        mutex_lock(&client_list_lock);
        list_for_each_entry(m, &dev->client_list, node) {
                if (priv == m->priv) {
                        list_del(&m->node);
+                       found = 1;
                        break;
                }
        }
-       if (m) {
+       if (found) {
                kfree(m);
                for (i = 0; i < dev->num_clks; i++)
                        nvhost_module_update_rate(dev, i);
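Review bot: The loop cursor `m` is still used after the loop in `kfree(m)`, and that is safe only because the separate `found` flag gates it. When no entry matches, list_for_each_entry leaves the cursor pointing at a container computed from the list head, never NULL. A dedicated result pointer removes the chance of a later edit freeing that bogus address: declare `struct nvhost_module_client *match = NULL;`, set `match = m;` in the matching branch, and use `if (match) { kfree(match); ...`. If the flag is kept, add a comment above it such as `/* m is not NULL after the loop when nothing matched; never test or free it without found */`. The function body continues past this hunk, so the unlock of `client_list_lock` and any handling of the not-found case are not visible here.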